New York Neurology Practice Pays $25,000 to Resolve Alleged Risk Analysis Violation
The HHS’ Office for Civil Rights (OCR) has announced another settlement to resolve an alleged violation of the risk analysis implementation specification of the HIPAA Security Rule. Comprehensive Neurology PC, a small neurology practice in New York City that specializes in diagnosing and treating neurological conditions such as dementia, Parkinson’s disease, epilepsy, and memory loss, has agreed to settle the alleged violation and pay a $25,000 financial penalty.
The alleged HIPAA violation was identified by OCR during an investigation of a 2020 data breach that involved unauthorized access to the electronic protected health information (ePHI) of 6,800 individuals. OCR was informed of the data breach on December 17, 2020. Comprehensive Neurology discovered it had been attacked with ransomware on December 14, 2020, when staff were prevented from accessing patients’ medical records. The forensic investigation confirmed that the ePHI of 6,800 individuals had been exposed and potentially stolen in the attack, including names, clinical information, health insurance information, demographic information, Social Security numbers, driver’s license numbers, and state identification numbers.
OCR’s investigation revealed that Comprehensive Neurology had failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. §164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Comprehensive Neurology was given an opportunity to settle the alleged HIPAA violation informally and agreed to pay a financial penalty and adopt a corrective action plan. OCR will monitor Comprehensive Neurology for compliance with the corrective action plan for two years.
The corrective action plan requires Comprehensive Neurology to:
- Conduct a comprehensive, accurate, and organization-wide risk analysis
- Develop and implement a risk management plan to reduce the identified risks and vulnerabilities to a low and acceptable level
- Develop, implement, and maintain policies and procedures to ensure compliance with the HIPAA Rules
- Distribute those policies and procedures to members of the workforce
- Provide training to the workforce on those policies and procedures
- Submit an implementation report to OCR and annual reports confirming compliance with the corrective action plan
- Ensure that any data breaches or compliance violations are reported to OCR promptly
It has been a busy month of HIPAA enforcement for OCR. So far this month, OCR has announced four settlements with HIPAA-regulated entities to resolve alleged violations of the HIPAA Rules, and seven penalties this year under the Trump administration. All seven of the enforcement actions include penalties for risk analysis failures. The settlement with Comprehensive Neurology was OCR’s 12th investigation of a ransomware attack to result in a financial penalty for HIPAA compliance failures, and the 8th enforcement action under OCR’s risk analysis enforcement initiative. OCR explained that by focusing on risk analyses, the most commonly identified HIPAA violation, OCR can increase the number of closed investigations and highlight the importance of compliance with this foundational HIPAA Security Rule requirement.
“Effective cybersecurity requires proactively implementing the HIPAA Security Rule requirements before a breach or cybersecurity incident occurs,” said OCR Acting Director Anthony Archeval. “OCR urges health care entities to prioritize compliance with the HIPAA Security Rule risk analysis requirement.”